Earlier this year, widespread exploitation of four previously unknown (zero-day) Microsoft Exchange Server vulnerabilities led to more than 30,000 servers being attacked [ZDNet]. Microsoft indicated that attackers gained access to Exchange servers either through these bugs or with stolen credentials, then planted a web shell to take control of the system and execute commands remotely.
A web shell is a script that an attacker uploads to a web server so that the machine can be administered remotely through ordinary HTTP requests. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. Used as one link in an attack chain, a web shell gives the attacker Remote Code Execution (RCE) and a route to server hijacking, persistent backdoors, data theft and further malware deployment.
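The kind of check a responder runs against a web server's content directories once a web shell is suspected, shown here as an added example (this is not code from Magna5, Huntress or Microsoft): a Python script that scans ASP.NET pages for the constructs web shells rely on (a request parameter fed straight into eval(), server-side JScript blocks, process spawning, runtime assembly loading, decode-then-execute of request data), scores each file, and reports recently modified files that cross a threshold. The indicator patterns, their weights, the threshold, the sample pages and the temporary directory layout are all constructed assumptions for illustration, not published indicators of compromise.

```python
"""Web shell triage for ASP.NET pages.

Added example, not Magna5, Huntress or Microsoft code. Scans web-content files
for server-side constructs that web shells use to turn request parameters into
executed code or operating-system commands, scores each file, and flags files
that cross a threshold. Indicator patterns, weights, the threshold and the
sample pages are constructed for illustration; in production use the indicators
published by your detection provider or by Microsoft.
"""
import re
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# indicator name -> (pattern, weight). Weights are illustrative assumptions.
INDICATORS = {
    # request parameter passed straight to eval(): the classic one-line shell
    "eval_of_request": (re.compile(r"\beval\s*\(\s*Request\b", re.I), 5),
    # server-side JScript block, a construction many ASPX shells use
    "jscript_server_block": (
        re.compile(r'<script(?=[^>]*runat\s*=\s*"?server"?)(?=[^>]*language\s*=\s*"?JScript"?)', re.I), 2),
    # spawning a process or a command shell from page code
    "process_start": (
        re.compile(r"\bProcess\.Start\s*\(|\bProcessStartInfo\b|cmd\.exe|powershell\.exe", re.I), 3),
    # loading an attacker-supplied assembly at runtime
    "assembly_load": (re.compile(r"\bAssembly\.Load\s*\(|\bActivator\.CreateInstance\s*\(", re.I), 3),
    # decode-then-execute of request data
    "base64_from_request": (re.compile(r"FromBase64String\s*\(\s*Request\b", re.I), 3),
}
FLAG_THRESHOLD = 4                       # assumed: one strong or two medium hits
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


@dataclass
class Finding:
    path: Path
    indicators: list = field(default_factory=list)
    score: int = 0
    recently_modified: bool = False

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def scan_content(text: str) -> list[str]:
    """Return the names of indicators present in a page's source."""
    return [name for name, (rx, _w) in INDICATORS.items() if rx.search(text)]


def triage_file(path: Path, recent_seconds: int = 7 * 86400) -> Finding:
    """Score one file and note whether it changed within recent_seconds."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = scan_content(text)
    score = sum(INDICATORS[h][1] for h in hits)
    recent = (time.time() - path.stat().st_mtime) < recent_seconds
    return Finding(path, hits, score, recent)


def scan_tree(root: Path) -> list[Finding]:
    """Triage every web-content file under root, in a stable order."""
    return [triage_file(p) for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS]


# Constructed sample pages for the demo (not captured artefacts).
BENIGN_PAGE = """<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="logon.aspx.cs" %>
<html><body><form runat="server"><asp:Login ID="Login1" runat="server" /></form></body></html>
"""
BORDERLINE_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
  // admin helper that launches a local tool: one medium-weight hit, below threshold
  void Run(object s, EventArgs e) { System.Diagnostics.Process.Start("notepad.exe"); }
</script>
"""
SHELL_PAGE = """<%@ Page Language="JScript" %>
<script runat="server" language="JScript">
function Page_Load() { eval(Request["cmd"], "unsafe"); }
</script>
"""


def run_demo() -> list[str]:
    """Write the samples to a temporary web root, scan it, print a report and
    return the names of the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"          # constructed layout, not a real install path
        root.mkdir()
        (root / "logon.aspx").write_text(BENIGN_PAGE, encoding="utf-8")
        (root / "tools.aspx").write_text(BORDERLINE_PAGE, encoding="utf-8")
        (root / "logo.aspx").write_text(SHELL_PAGE, encoding="utf-8")   # shell behind an innocuous name
        findings = scan_tree(root)
        for f in findings:
            status = "FLAG" if f.flagged else "ok  "
            print(f"{status} score={f.score:<2} recent={f.recently_modified} {f.path.name} {f.indicators}")
        return [f.path.name for f in findings if f.flagged]


if __name__ == "__main__":
    run_demo()
```

Run it against a copy of the web root taken from a forensic image rather than against the live server, and treat a flag as a triage lead, not a verdict: confirm with file timestamps, the IIS request logs for that page, and the process tree of the worker process before isolating the host.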
While Microsoft issued emergency patches for the four vulnerabilities, many organizations are too busy to install them promptly. Partnering with a managed service provider, like Magna5, can help you analyze vulnerabilities and distribute patches across your network companywide to reduce the risk of security-related downtime.
The power of rapid response can truly make a difference
Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), believes the Exchange Server bugs will disproportionately affect small businesses and organizations in the education sector as well as state and local governments [ZDNet]. Once adversaries penetrate a server, they can access email accounts, exfiltrate data, move laterally in victim environments, and install additional access mechanisms and malware that give them long-term access to victim networks.
Recently, Magna5 was able to help a customer prevent exploitation of a zero-day web shell that could have been used to download email or reach other parts of their network. The customer, an architecture firm, was protected by our premium endpoint security bundle. When the Microsoft Exchange Server patches were released, Magna5 proactively closed the vulnerability gaps with real-time patch management and used threat intelligence to identify indicators of compromise. In addition, through our partnership with Huntress, we were able to detect an active web shell present on their Exchange Server within 24 hours of the public release of the zero-day patches. Huntress's identification of this indicator of compromise allowed us to respond quickly and isolate the machine before the attack could progress further.
Boosting your cybersecurity resilience
Exploitation of the Microsoft Exchange Server vulnerabilities is bad enough on its own. Today, the sophistication and scale of malicious attacks are growing. Cyber criminals are mounting large-scale, multi-vector attacks, which creates a need for advanced, real-time threat prevention, detection and response that protects every perimeter: networks, virtual clouds, remote offices and mobile operations.
Here are four ways managed security providers can help you implement multiple tiers of defense quickly to thwart attacks.
Early-warning detection identifies and blocks malicious traffic before threat actors disrupt operations.
It is vitally important to have visibility into your entire network, including all virtual machines, cloud apps, endpoints, mobile devices and VoIP phones. A secure cloud environment monitored by a proven managed security provider protects your data with next-generation firewalls and intrusion prevention systems that inspect traffic in real time. Fully managed detection and response adds 24/7/365 security monitoring and alerting for your critical systems, improving visibility, time to detection and incident response.
Harden security wherever remote workers connect from.
IDC reports that an estimated 70% of breaches start on endpoint devices: laptops, workstations, servers and mobile devices. Endpoint security protection provides deep visibility into every device and application running on-premises and in the cloud. It protects endpoints connecting to your network over the public internet with real-time threat detection, hunting and remediation, no matter where your employees are working. If malware gains a foothold on your network, managed security providers can roll back the changes it made to contain the damage.
Protection begins with knowing where the weak spots are in your network.
Unpatched software and systems are sitting ducks for hackers. Managed security providers perform internal and external scans of network devices, servers, applications, databases and more, on-premises and in the cloud, to see what is exposed to threats and recommend corrective action. Regularly scheduled patch management ensures weak entry points are patched and updated, proactively minimizing the vectors that attackers can exploit. This includes sifting through hundreds of updates, testing each one and rolling it out across your enterprise.
Backup and recovery play a crucial role in restoring lost data in the event of an attack.
Managed security providers can swiftly respond to downtime events with cost-effective restore solutions. Data backup and recovery in a managed cloud can complete in minutes to keep organizations running without interruption. You can specify recovery for an entire virtual environment or for specific end-user systems, cloud applications and departmental infrastructure.